Why Wildcard Certificates Aren’t that Easy to Manage [And What You Can Do About It]

July 12, 2018 | Sandra Chrust

Wildcard SSL certificates have risen in popularity because organizations use them to save money and because they can be more convenient to use. But time and money savings may not always live up to all they promise and often come at a cost (and it’s not just about security). What are wildcard certificates? As Nick Hunter, senior technical manager for Venafi, wrote in a recent blog post: “A wildcard certificate is a public key certificate used by all subdomains within a larger domain. Using a wildcard certificate on a publicly facing webserver, you can quickly secure unlimited subdomains that are all encrypted by the same certificate. Unfortunately, so can cybercriminals.”

I’ve mentioned in a previous blog that SSL/TLS wildcard certificates are inherently less secure, because one certificate and one private key are shared by every host under the domain it covers: a compromise of any one of those hosts exposes the key that protects all of them. They may be easy to use, but they also open the door to an increased risk of phishing attacks, exposure to certificate expiry-based outages, and ongoing certificate management challenges that may not surface until it’s too late.

Ease of management is often a reason why organizations start to use wildcard certificates, yet this may also become a reason why they stop using these certificates. Let’s explain why. Managing wildcard certificates becomes especially challenging when a single certificate is being used across many websites or critical business infrastructure.

Walter Goulet, product manager for Venafi, explains, “When a wildcard certificate is deployed widely, there is an inability to schedule expiration rates around high-traffic usage periods of business-critical infrastructure. As a result, when that wildcard certificate nears expiration you need to coordinate renewal and installation on all systems that are using that certificate at the same time, or at least start the renewal and replacement process well before the certificate expires, which reduces the effective lifetime of the wildcard certificate.

In healthcare, for example, organizations often have a no-touch policy on infrastructure that supports open enrollment for a period of two to three months. This concept also applies to retail organizations like Walmart and Target that have IT blackout periods around Black Friday and the holidays. Unfortunately, with wildcard certificates, when you have one certificate that is used to secure a large number of applications and services, management becomes a real nightmare, and critical infrastructure may need to be maintained during no-touch periods, putting your business at risk of disruption.”

If you are looking to improve your security posture by replacing your wildcard certificates or need help finding where your wildcard certificates are installed, Venafi has developed a cloud-based solution that can help you.

Venafi as a Service helps you find your wildcard certificates, see where they are installed and replace them.

If you aren’t sure what to replace your wildcard certificate with, we’ve got a few recommendations. There are two main types of certificates we recommend replacing your wildcard certificates with to improve security.

  • First, the most secure option is one certificate per hostname: if that certificate’s private key is compromised, the exposure is limited to that single host.
  • The second option is a Subject Alternative Name (SAN) certificate, for customers whose load balancers serve multiple websites from the same infrastructure. A SAN certificate lists each sub-domain it covers explicitly, so it can be associated with multiple named sub-domains without covering every possible sub-domain the way a wildcard does.
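The script below is an added example, not part of the original post and not Venafi’s tooling. It works on the dictionary that Python’s `ssl.SSLSocket.getpeercert()` returns, so the same functions apply to a live host (via the stdlib-only `fetch_peer_cert` helper, an assumption of this example) and to the constructed sample inventory embedded below (hypothetical hosts under example.com, with made-up serial numbers and dates). It flags wildcard certificates, applies RFC 6125-style wildcard matching to show exactly which hostnames a `*.` name covers, counts how many hosts share one certificate (and therefore one private key and one renewal deadline), and computes days to expiry against a chosen date, which is the practical check behind “find your wildcard certificates, see where they are installed” and the expiry coordination problem quoted above.

```python
import socket
import ssl
from collections import defaultdict
from datetime import datetime, timezone


def fetch_peer_cert(host, port=443, timeout=5):
    """Connect to a live host and return its leaf certificate as the
    getpeercert() dict. Not used by the offline sample below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def dns_names(cert):
    """DNS identities the certificate asserts: SAN dNSName entries first,
    then the subject CN (legacy; clients ignore CN once a SAN is present)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def is_wildcard(cert):
    return any(name.startswith("*.") for name in dns_names(cert))


def name_matches(pattern, hostname):
    """RFC 6125-style matching: '*' is accepted only as the whole leftmost
    label and matches exactly one label, so *.example.com covers
    api.example.com but neither example.com nor a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:  # refuse patterns like *.com
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def days_until_expiry(cert, now):
    """notAfter in getpeercert() format, e.g. 'Jul 12 00:00:00 2019 GMT'."""
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y GMT")
    return (not_after.replace(tzinfo=timezone.utc) - now).days


def hosts_per_certificate(inventory):
    """Group hosts by certificate serial: every host in a group shares one
    private key and one renewal deadline."""
    groups = defaultdict(list)
    for host, cert in inventory:
        groups[cert["serialNumber"]].append(host)
    return dict(groups)


def audit(inventory, now, warn_days=30):
    groups = hosts_per_certificate(inventory)
    report = []
    for host, cert in inventory:
        names = dns_names(cert)
        days_left = days_until_expiry(cert, now)
        report.append({
            "host": host,
            "names": names,
            "wildcard": is_wildcard(cert),
            "covers_host": any(name_matches(n, host) for n in names),
            "shared_with": len(groups[cert["serialNumber"]]),
            "days_left": days_left,
            "renew_soon": days_left <= warn_days,
        })
    return report


# Constructed sample data (hypothetical hosts under example.com), shaped like
# getpeercert() output. One wildcard certificate is deployed on three hosts;
# a SAN certificate covers two explicitly named hosts.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "serialNumber": "0A1B2C",
    "notAfter": "Aug 15 12:00:00 2018 GMT",
}
SAN_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "checkout.example.com")),
    "serialNumber": "0D4E5F",
    "notAfter": "Dec 01 12:00:00 2018 GMT",
}
SAMPLE_INVENTORY = [
    ("www.example.com", WILDCARD_CERT),
    ("api.example.com", WILDCARD_CERT),
    ("vpn.example.com", WILDCARD_CERT),
    ("shop.example.com", SAN_CERT),
    ("checkout.example.com", SAN_CERT),
]
NOW = datetime(2018, 7, 12, tzinfo=timezone.utc)  # the post's publication date

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY, NOW, warn_days=60):
        print(row)
```

In the sample, the three hosts behind the wildcard report `shared_with: 3`, so one key compromise or one missed renewal affects all of them at once, while the two SAN hosts report only the names they explicitly carry. To run it against real infrastructure, replace the constructed inventory with `(host, fetch_peer_cert(host))` pairs for the hosts you own.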

At Venafi, we want to help solve the underlying issues that might cause you to use wildcard certificates by making it easy for you to get and deploy certificates. We believe that automation is the future for certificates and the more intelligence you build into the process, the less value a wildcard certificate offers. Take the first step in identifying your wildcard certificate exposure with our certificate discovery capabilities and start easing the hidden costs of wildcard certificate management.
